Apple uses UDID to track in-app purchases associated with hack

Apple is continuing its fight against a Russian hacker who is supplying a way for iPhone users to download in-app purchases without paying. The company is now including a unique identifier in all in-app purchase receipts, according to MacRumors.

Last week Russian hacker Alexey V. Borodin developed a way for iPhone users to steal in-app purchases without having to jailbreak their phones. The method involved installing two security certificates and change the DNS settings on the phone to download in-app purchases over a special connection. Apple soon came after Borodin, shutting down his IP’s access to Apple servers and asking his Internet service provider to take down his website, In-App.com. Borodin, however, dodged Apple’s efforts by setting up his website outside of Russia and devising a way to steal in-app purchases without going through Apple’s App Store servers.

However, Apple isn’t giving up just yet. As MacRumors observes, the company is now tracking the UDID associated with each in-app purchase. That is, Apple is watching the unique identifier associated with each phone that performs this transaction. It is then sending that data on the receipts to the developers.

Apple recently decided to start rejecting applications using UDIDs, since gathering data from them is a slippery privacy slope. MacRumors notes that this could be a placeholder for a new type of identification that will be associated with each in-app purchase, or it could be that Apple wants to know which users specifically are stealing in-app purchases using Borodin’s system.

For now, Borodin continues to use his YouTube account, ZonD80, to promote his tactics, though Apple had his first video introducing the hack taken down.